The revelation comes just days after the hackers were booted from the DNC's network. Organizations do not usually give computer forensic investigators the green light to talk about an intrusion. Data breach response services are often retained under strict non-disclosure agreements, and discussions about a particular security company's customers are - generally speaking - taboo.

But the DNC, which apparently was infiltrated by two groups believed to have ties to - or even be sponsored by - the Russian government, allowed incident-response firm Crowdstrike to talk publicly about the attacks. The computer security company provides 24-hour breach response services, competing with firms including FireEye's Mandiant and PwC.

"The reality is at Crowdstrike we work these types of cases weekly and almost never can we tell the public about it," Dmitri Alperovitch, Crowdstrike's co-founder and CTO, tells Information Security Media Group.

The DNC approached Crowdstrike about going public with the intention of also providing advanced warning about the methods the hackers used to infiltrate its network. Of course, the DNC's decision also has political ramifications.

"They want to tell the American public what the Russian intelligence agencies are doing," Alperovitch says.

The DNC likely had several motivations in coming forward and disclosing the breach, says Dan Holden, director of Arbor Networks' security engineering and response team. For starters, if the organization kept the breach private but it leaked out later, it would look bad, he says.

Also, the FBI is still investigating Hillary Clinton over how she handled classified information on her own private email server while she was secretary of state. The Democrats "certainly don't want to have anything else dealing with computer security hovering over her," Holden says.

Plus, U.S.-Russian spying tales are "always a classic good-guy, bad-guy story for many Americans who lived through the Cold War," he says.

And security expert Bruce Schneier, chief technology officer of IBM's Resilient, says that this attack has all the hallmarks of a straight-up spy story. "This seems like standard political espionage to me," Schneier says in a blog post. "We certainly don't want it to happen, but we shouldn't be surprised when it does."

Hacked by Fancy Bear, Cozy Bear

According to Crowdstrike, two hacking groups - nicknamed Fancy Bear and Cozy Bear - gained independent access to the DNC's network, although it's unclear how they initially broke in. Cozy Bear, which Alperovitch says may be linked with Russia's state security service, known as the FSB, compromised the DNC about a year ago, targeting communications such as email and instant messaging.

The disclosure comes just a few days after Crowdstrike unplugged the DNC's network completely on June 10 to begin cleansing its systems. "We rebuilt it from scratch," Alperovitch says. "The remediation event went through the entire weekend. Our folks didn't sleep."

Before remediating the DNC's network, Crowdstrike had to figure out what was going on. The company installed its Falcon endpoint protection software on the DNC's equipment, which Alperovitch says quickly homed in on two separate groups.

The investigation showed that Fancy Bear gained access in April and focused on collecting DNC research on opposing candidates, including Donald Trump, the presumptive Republican presidential nominee. Crowdstrike has a "high level" of confidence that group is connected with Russia's GRU, the country's military intelligence unit, Alperovitch says.

Vendors often publish information about hacking incidents they've studied, which benefits marketing campaigns but also contributes to a growing body of knowledge for security researchers. Invariably, companies and organizations that are victims are either not described at all or only vaguely by market vertical, such as defense or telecommunications.

The same day the DNC attacks were revealed, Palo Alto Networks published a blog post describing a spear-phishing attack against a U.S. government organization. Spear-phishing is the practice of carefully targeting a victim by email and tricking the person into clicking on a malicious link or attachment.

As is customary, Palo Alto did not name the organization. But it did say the group behind the attack was the Sofacy group, which is also known as APT28 - FireEye uses that naming convention for hacking groups. Regardless of nomenclature, that's the same hacking collective that Crowdstrike calls Fancy Bear.

Indicators of Compromise Released

Crowdstrike was also permitted to release so-called indicators of compromise, or IOCs, which list technical details that other organizations can use to spot similar attacks and thus protect their networks. In this case, a detailed blog post written by Alperovitch lists hashes for a malware implant used by Cozy Bear called SeaDaddy, as well as IP addresses for command-and-control servers tied to the attacks.

But both of the Russian hacking groups apparently used very little malware. Once inside the network, they instead employed tools such as Microsoft's PowerShell scripting platform and Windows Management Instrumentation, which is a framework for managing computers across a network. Security software wouldn't flag use of these legitimate IT tools as malicious, because administrators use them every day.
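The two preceding paragraphs describe two different detection problems: matching published indicators (implant hashes, command-and-control addresses) against what a network sees, and catching intrusions that use only built-in administration tools, which no indicator list will match. The script below is an added illustration of both, not code from the article or from Crowdstrike. Every hash, IP address, hostname and log line in it is a constructed placeholder, and the PowerShell and WMI heuristics are common defender rules of thumb assumed here, not anything the article attributes to the investigation.

```python
"""Two detection layers over constructed endpoint telemetry.

1. Atomic IOC matching: file hashes and C2 addresses from a published list.
2. Behavioral rules for living-off-the-land PowerShell and WMI use, which
   hash- and IP-based matching alone cannot see.
All indicators, hosts and log lines are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPLANT_HASH = "a" * 64          # placeholder stand-in for a listed implant hash
BENIGN_HASH = "1" * 64           # placeholder hash for every other binary
IOC_SHA256 = {IMPLANT_HASH}
IOC_C2_IPS = {"203.0.113.10", "198.51.100.25"}   # RFC 5737 documentation ranges

# Constructed telemetry: <timestamp> <host> <event_type> key=value key="quoted" ...
SAMPLE_LOGS = [
    rf'2016-06-10T02:58:01Z dnc-ws-03 process_create image="C:\Windows\System32\notepad.exe" '
    rf'parent="C:\Windows\explorer.exe" sha256={BENIGN_HASH} cmdline="notepad.exe"',
    rf'2016-06-10T03:01:17Z dnc-ws-07 process_create image="C:\Users\public\svchost.exe" '
    rf'parent="C:\Windows\explorer.exe" sha256={IMPLANT_HASH} cmdline="svchost.exe"',
    r'2016-06-10T03:01:22Z dnc-ws-07 network_connect image="C:\Users\public\svchost.exe" dst=203.0.113.10 dport=443',
    r'2016-06-10T03:02:05Z dnc-ws-03 network_connect image="C:\Program Files\browser\browser.exe" dst=192.0.2.5 dport=443',
    # WMI provider host launching hidden, encoded PowerShell (placeholder base64 blob)
    rf'2016-06-10T03:12:44Z dnc-ws-07 process_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    rf'parent="C:\Windows\System32\wbem\WmiPrvSE.exe" sha256={BENIGN_HASH} '
    r'cmdline="powershell.exe -nop -w hidden -enc QQBBAEEA"',
    # wmic used to start a process on another host
    rf'2016-06-10T03:13:09Z dnc-ws-07 process_create image="C:\Windows\System32\wbem\wmic.exe" '
    rf'parent="C:\Windows\System32\cmd.exe" sha256={BENIGN_HASH} '
    r'cmdline="wmic.exe /node:dnc-fs-01 process call create cmd.exe"',
    # an administrator's ordinary script: nothing encoded, nothing hidden
    rf'2016-06-10T03:15:00Z dnc-ws-03 process_create image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    rf'parent="C:\Windows\explorer.exe" sha256={BENIGN_HASH} cmdline="powershell.exe -File C:\scripts\backup.ps1"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into a flat dict of fields."""
    ts, host, etype, rest = line.split(" ", 3)
    ev = {"ts": ts, "host": host, "type": etype}
    for key, quoted, bare in KV_RE.findall(rest):
        ev[key] = quoted or bare
    return ev


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    host: str
    ts: str
    detail: str


# Heuristics (assumed here): an encoded command alerts on its own; the weaker
# switches need two hits, so a plain "-File script.ps1" stays quiet.
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\b")
PS_WEAK = [
    re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    re.compile(r"(?i)downloadstring|\biex\b|invoke-expression"),
]


def rule_ioc_hash(ev: Dict[str, str]) -> Optional[Alert]:
    if ev["type"] == "process_create" and ev.get("sha256", "").lower() in IOC_SHA256:
        return Alert("ioc_hash", ev["host"], ev["ts"], f"listed implant hash: {ev.get('image')}")
    return None


def rule_ioc_c2(ev: Dict[str, str]) -> Optional[Alert]:
    if ev["type"] == "network_connect" and ev.get("dst") in IOC_C2_IPS:
        return Alert("ioc_c2", ev["host"], ev["ts"], f"connection to listed C2 {ev['dst']}:{ev.get('dport', '?')}")
    return None


def rule_powershell(ev: Dict[str, str]) -> Optional[Alert]:
    if ev["type"] != "process_create" or basename(ev.get("image", "")) != "powershell.exe":
        return None
    cmd = ev.get("cmdline", "")
    weak_hits = sum(1 for p in PS_WEAK if p.search(cmd))
    if PS_ENCODED.search(cmd) or weak_hits >= 2:
        return Alert("lolbin_powershell", ev["host"], ev["ts"], f"suspicious PowerShell: {cmd}")
    return None


def rule_wmi(ev: Dict[str, str]) -> Optional[Alert]:
    if ev["type"] != "process_create":
        return None
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    if image == "wmic.exe" and "process call create" in ev.get("cmdline", "").lower():
        return Alert("lolbin_wmi", ev["host"], ev["ts"], f"wmic process creation: {ev['cmdline']}")
    if parent == "wmiprvse.exe" and image in {"powershell.exe", "cmd.exe"}:
        return Alert("lolbin_wmi", ev["host"], ev["ts"], f"{image} spawned by the WMI provider host")
    return None


RULES = [rule_ioc_hash, rule_ioc_c2, rule_powershell, rule_wmi]


def scan(lines: List[str]) -> List[Alert]:
    """Run every rule over every event; one event may raise several alerts."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a is not None)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a.ts} {a.host} [{a.rule}] {a.detail}")
```

On the constructed input the two IOC rules fire once each, on the placeholder implant and its C2 connection, and are silent for everything else. The PowerShell and WMI events on the same host carry a perfectly ordinary hash and talk to no listed address, so only the behavioral rules catch them; that gap between the two layers is exactly why the article notes that security software keyed on malware would not flag these tools.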

Going forward, Crowdstrike has also been retained to lock down and protect the DNC's network. "We have to assume the Russians will try to get back in," Alperovitch says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
